
Hello, I've not been to a tech help forum in a while. I wouldn't say I'm a professional in any regard, but as I and my friends are decent with computers, we tend to manage okay on our own normally. However, recently I've had an issue that I can't resolve and I'm hoping someone here can. I have a problem with some malware that has somehow entered my computer. It was first noticed as adware but is clearly more than that.

My computer is the only computer in the house atm, which is chiefly used by me and my girlfriend. It was she who first witnessed the symptoms of an infection on my computer. She claims that Firefox was acting "weird." As I was not present, I'm not sure exactly what happened, but she claims it was being super slow and locking up. At some point it claimed it needed updating. She allowed this to occur and then restarted the computer, because the browser was still being slow.

When she booted my computer back up, Firefox showed many ads and Adblock Plus was disabled. Hearing this, I was instantly concerned. When I got on the computer to take a look, I noticed that my adblocker was not even listed in my Firefox add-ons, and there were clear signs that my browser was being affected by adware. Ads from untrustworthy sites were showing up on all webpages (like Tremendous Sales, for example). I was also getting redirects to fake virus scan sites. I know she doesn't go to any of these sites, as her use of the computer is usually limited to sites I already know cause no trouble, so this erroneous behavior was quite obvious.

So right away, I suspected something had been installed on my computer. I went to my programs list in the Control Panel. Sure enough, I saw several programs which I know to be adware (like Tremendous Sales, BrWOWser, and IncrementEdit, to name a few). I uninstalled these and tried my browser again. No such luck: the adware was less, but still there, and for some reason a Google Chrome window appeared although I had not clicked on Chrome at all. After running anti-spyware and virus scans, it became clear I was infected with a gen of some kind, because these adware programs kept reappearing and the redirect was still present.

I went ahead and got the trial of avast! Premier to hold everything at bay, even doing a boot scan, which did indeed pick up malware gens. Although most of the adware doesn't seem to be showing up in my programs list now, I must have something masking itself, because the infection persists. The Avast firewall has to block redirects regularly. Believing my Firefox might be affected, I even reset it... no luck. I tried to reinstall it while in safe mode, still no luck.

Thinking back on Google Chrome, I don't recall if I installed it or not. I may have, I just don't use it much. As the reinstall of Firefox did not help much, I chose to look for additional tools to help me with my problem. This led me to ComboFix. In the spirit of full disclosure, I did run it, because after talking with a friend of mine, I was told it can help take infections out of Chrome, and by this point I was feeling rather frustrated. I hope having already run the program does not bar me from help here... I ran it before I decided I needed to post online.

Now that I know I need some assistance, I will leave Chrome alone for now, and my log from ComboFix will be made available. As per the prep work that is often asked for, I installed Farbar and ran it. The "Addition.txt" from Farbar is also available.

It is worth noting that so far, ComboFix appears to have deleted something off of Chrome, because I saw Chrome files listed in the program. I no longer see the ads or the links that the adware was placing in Firefox. I do see the occasional popup, but this could be due to the lack of an adblocker (since I did reinstall my browser). I have left Chrome alone since the ComboFix scan, but although my Firefox browser appears functional again, it's not over. Avast's active protection is still needing to block several redirects, even when all I do is leave Firefox open for a while.

Also, in case it helps, here are some of the results of my Avast scans, which occurred before I ran ComboFix:

Hi & welcome to Bleeping Computer Forums! My name is Jürgen and I will be assisting you with your malware related problems.

Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.

Perform everything in the correct order. Sometimes one step requires the previous one.

If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.

Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.

Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.

If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.

If I don't reply within 24 hours please PM me!

Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop. (If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as just the right one will run.)

Start FRST with administrator privileges.

Make sure the option Addition.txt is checked and press the Scan button.

When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


Did as requested. Uninstalled IncrementEdit and ManticoreInspector using Revo; however, Search Protection failed to show up as a listed program, so I'm not sure what to do about that. It does appear that AdwCleaner found it, though.

They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again. I would recommend that you uninstall µTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

I have. It comes back as "database is up to date" and the "scan for rootkits" option in settings is checked. But the log file shows that rootkit scans are disabled. I wonder if I have a corrupt reg value.

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

Name: Hook Test Driver
Description: Hook Test Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: SDHookDriver
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

System errors:
=============
Error: (04/12/2015 11:42:01 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

Error: (04/12/2015 11:42:01 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

Error: (04/12/2015 11:42:01 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

Error: (04/12/2015 11:42:01 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

Error: (04/12/2015 11:41:51 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

Error: (04/12/2015 11:41:51 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

CodeIntegrity Errors:
===================================
Date: 2015-04-11 10:07:48.092
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2015-04-11 10:07:48.042
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
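Both the "File is digitally signed" lines in the FRST log and the CodeIntegrity events above come down to the same check: whether Windows can match a binary to a trusted Authenticode signature, either embedded in the file or recorded in a security catalog. The script below is an added example, not part of this thread and not FRST's or ComboFix's own code. It re-runs that check with the built-in Get-AuthenticodeSignature cmdlet over the same core system files FRST listed, and reports anything whose status is not Valid. The file list is taken from the log above; the `$extra` entry for ComboFix's catchme.sys is an assumed path only, included to show what an unsigned driver looks like in this output.

```powershell
# Added example: re-check Authenticode status of the core Windows binaries
# that FRST reports as "File is digitally signed". Run from an elevated
# PowerShell prompt. Nothing here modifies the system; it only reads files.

$coreFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

# Assumed location of the ComboFix driver named in the CodeIntegrity event;
# adjust or drop this entry if ComboFix was not run from the system drive.
$extra = @("$env:SystemDrive\ComboFix\catchme.sys")

function Get-SignatureReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null }
            continue
        }
        # Status values: Valid, NotSigned, HashMismatch, NotTrusted,
        # UnknownError, NotSupportedFileFormat, Incompatible.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$report = Get-SignatureReport -Paths ($coreFiles + $extra)
$report | Format-Table -AutoSize

# Anything not Valid deserves a second look: HashMismatch on a core system
# binary means the file on disk is not the one Microsoft signed.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }
if ($suspect) {
    Write-Warning ("{0} file(s) did not verify:" -f $suspect.Count)
    $suspect | ForEach-Object { Write-Warning ("  {0} -> {1}" -f $_.Path, $_.Status) }
}
```

Two caveats when reading the output. Most Windows system files carry no embedded signature and are instead listed in catalogs under `System32\CatRoot`; on Windows 8 and later Get-AuthenticodeSignature consults those catalogs, so the expected result for every file in `$coreFiles` is Valid with a Microsoft Windows signer, while on Windows 7 with older PowerShell the same files can show NotSigned even though they are genuine. The ComboFix driver is the opposite case: it is a known unsigned component of a legitimate tool, which is exactly why the CodeIntegrity event says its hash "could not be found on the system"; a NotSigned result for it is expected and is not by itself evidence of infection, whereas a HashMismatch on something like winlogon.exe or userinit.exe would be.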